HIPAA Privacy Practices

Introduction
Most group health plans – including the Carpenters Health and Security Plan of Western Washington – must comply with new privacy rules issued as part of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). These new privacy rules are effective April 14, 2003. One of
the requirements of the new privacy rules is for the Trust to provide you with a Notice of Privacy
Practices. This Notice describes the uniform safeguards placed on certain
health information (known as “Protected Health Information” or “PHI”) used as part of the normal
business practices of this Plan. Important: The Trust has always maintained strict privacy standards.
For example, the Trust has always used health information for its intended purpose only; it
has always maintained paper records in central, secured locations; and it has always required security
clearance for claims processing software. The goal of the new privacy rules is to ensure that all
health care plans meet these uniform privacy standards.

The following are the basic features of the new privacy rules as described in the Notice of Privacy
Practices:

The Notice describes the circumstances under which your health information may be used or
disclosed. For example, as part of processing a claim, the Trust may request additional information
from a health care provider such as a physician or hospital. This information will only be
used to facilitate the processing of that claim. Similarly, if you have coverage under more than
one plan, the Trust will exchange claim information with the other plan to properly coordinate
benefits between the two plans.

The Notice describes how the Trust can answer certain inquires from you, or that are made on
your behalf. For example, the Trust will confirm eligibility, describe benefits and provide general
information as it always has. The Trust will also respond to specific inquires made by you concerning
your health information, after some basic questions are asked to verify your identity.

If a dependent spouse is seeking information about a participant’s claim and is able to provide
claim information (e.g., the month and year of service, the provider’s name, and the procedure)
the Trust will answer claim-related questions. However, if the spouse is seeking other specific
health information, the Trust must obtain a written authorization from the participant. Authorization
forms are available from the Carpenters Trusts.

If you are seeking specific information about your minor child, the information will, in most
situations, be available as before. However, if state law allows a minor child to consent to or
obtain a health care service without parental consent, federal law generally requires that the
Trust obtain an authorization from the child prior to discussing the child’s health information
with you.

The following are examples of when the new privacy rules require the Trust to obtain a written
authorization to release health information:

A participant’s spouse contacts Carpenters Trusts regarding the participant’s mental health
diagnosis on a claim that has been submitted to the Trust. The Trust can confirm the
participant’s general eligibility for benefits. However, federal law requires that the Trust
Office obtain a written authorization from the participant prior to discussing the
participant’s mental health diagnosis with the spouse.

A participant contacts his or her union business agent regarding a medical procedure that
was denied by the Trust as not being medically necessary. The business agent then telephones
Carpenters Trusts about the participant’s medical treatment. Federal law requires that
Carpenters Trusts request written authorization from the participant prior to discussing the
participant’s treatment with the business agent.

State law allows a child who is 13 and older to receive outpatient chemical dependency
treatment without parental consent. The participant’s 15-year-old child obtains such treatment.
Federal law generally requires that Carpenters Trusts obtain a written authorization
from the child prior to discussing the child’s treatment with the participant.

The Notice lists the Trust’s “Privacy Officer” and “Privacy Contact Person,” who has been
designated by the Trustees to answer your questions about the privacy of your health information.
The Trust understands that the changes mandated by the federal regulations may be frustrating
initially. Your patience and understanding as we undertake these changes is greatly appreciated.